A newly identified vulnerability, CVE-2025-31324, in SAP NetWeaver Visual Composer poses a severe risk of system compromise. This flaw, scoring a perfect 10.0 in severity, allows attackers to exploit systems by deploying web shells. Organizations must assess their SAP Java systems for exposure and take immediate action to mitigate this threat.

Understanding the SAP NetWeaver Vulnerability

The vulnerability, CVE-2025-31324, affects the SAP NetWeaver Visual Composer development server. This critical issue arises from a missing authorization check, allowing unauthorized users to access the Metadata Uploader feature. This flaw is present in the "developmentserver" component of SAP NetWeaver 7.xx, which is designed for creating business tools without coding.

Impact and Exploitation

Research indicates that this vulnerability is active in 50% to 70% of SAP NetWeaver Application Server Java systems. Attackers can exploit this flaw remotely using standard web communication methods like HTTP/HTTPS. The lack of proper authentication allows anyone, even without an account, to interact with the vulnerable system component and upload malicious files.

  • Key Point 1: The vulnerability allows unauthorized access to powerful functions due to missing permission checks.
  • Key Point 2: Attackers target the /developmentserver/metadatauploader web address to exploit the flaw.

Recent Observations and SAP's Response

On April 22nd, suspicious activities were detected on patched SAP NetWeaver servers, suggesting the use of unknown vulnerabilities. SAP acknowledged these issues and released a knowledge base article (SAP KBA 3593336) and a FAQ document (SAP Note 3596125) on April 24th, confirming the presence of malicious files with extensions like '.jsp', '.java', or '.class' in specific folders.

Emergency Updates and Recommendations

SAP officially announced CVE-2025-31324 on April 24th, attributing it to a "Missing Authorization check in SAP NetWeaver (Visual Composer development server)." An out-of-band emergency update has been released to address this issue. SAP urges customers to check their Java systems and implement the official fix to mitigate the risk.

The link has been copied!